[Samba] Noob question: user moved to an OU disappears from getent, but groups don't

Rowland Penny rowlandpenny at googlemail.com
Tue Apr 21 14:37:33 MDT 2015

On 21/04/15 20:53, Daniel Carrasco Marín wrote:
> Thanks to both for answers.
> I'm using the latest version of wheezy-backports (Version 4.1.17-Debian)
> and on this server I don't need to map the AD users to Linux tools (I'm
> doing tests before changing anything on production servers), but I'm planning
> to use a File Server and a Print Server on separate machines and I need to
> have access to AD users. If I disable winbind entries on those servers then
> all OS tools like getent, chown, setfacl... cannot use the AD users (I've
> done some tests and I've got a non-existent user/group error), and I need
> it, then: can I use Winbind without problems on client machines?

You seem to want to set up a member server with an AD DC. If this is the
case, then yes, this is the recommended way, see:


I would also suggest that you test that you can get users' IDs from AD.

>>>>>>>           netbios name = PDC.CASA.RED
>>>> netbios name = PDC
>>>> Dots are not allowed in host names.

The dots are not really the problem, the problem is that you are using 
the entire FQDN for the netbios name.

> OK, good to know. It was copied from the old samba domain.
>>>>           winbind normalize names = yes
> Why can this entry be problematic? It changes the spaces in names to
> underscores, useful with CUPS (I can't add a group with spaces to allowed
> groups). I'm curious.

This is not a problem, it makes winbind turn names like 'Domain Users' 
into domain_users which is usable by Unix.

> For now I know that I have to change the netbios name in smb.conf before the
> classic upgrade (the old server netbios is wrong), I have to delete some tdb
> files, and I have to leave the smb.conf without changing anything after the
> upgrade.

The upgrade should leave you with a fully working AD DC, you shouldn't 
have to alter anything, except perhaps adding template shell & template 
homedir lines and/or adding shares.


> Tomorrow I'll do some tests and I'll report here how it went.
> Thanks again to both and greetings!!
> 2015-04-21 20:08 GMT+02:00 Andrey Repin <anrdaemon at yandex.ru>:
>> Greetings, Daniel Carrasco Marín!
>>> I've migrated the domain by copying all files in /var/lib/samba and
>>> /etc/samba from the original domain to the new domain, I've edited the smb
>>> file to change the "passdb backend" line to match the old server (because
>>> the original is localhost and gives me an error connecting), and then I run
>>> this command:
>>> samba-tool domain classicupgrade --dbdir=/home/user/samba --use-xattrs=yes --realm=casa.red --dns-backend=BIND9_DLZ /home/user/smb.conf
>>> After all the progress I change the bind config file to add the samba file
>>> (matching the Bind Version 9.9).
>>> When I connect to the new domain all users and groups are in the "Users"
>>> folder, then if I move all groups to a new OU "getent group" works perfectly,
>>> but if I move some users to a new OU then they disappear from "getent
>>> passwd". I've done some tests and it is strange because I have 100 users:
>>>     - I've moved some users and they have disappeared from getent (88 users).
>>>     - Later I moved some other users and the result was 94 users.
>>>     - Later, without touching anything, it went back to 100 users.
>>>     - Later again I moved another user and it changed to ~74 users (I
>>>     don't remember the exact number).
>>>     - And now it's back to 100 users and for now it is not changing...
>> If you rely on "getent passwd" enumerating whole winbind userlist...
>> I have news for you - you shouldn't. Depending on the winbind configuration,
>> it may or may not list users, and do so in a very lean manner.
>> If you REALLY want to know if certain users are accessible to the system,
>> specify user name or uid as a filter.
>>> Maybe it is a cache problem, but I don't know why the cache wasn't
>>> updated after all I did. I've even purged the winbind package and deleted
>>> the cache files to install a clean version of winbind and the problem
>>> persists...
>>> It is an AD, but if I use the smb.conf provided by classicupgrade then
>>> getent doesn't show the AD users/groups (it doesn't have any info about
>>> Winbind).
>>> Maybe I should create a hybrid adding only the Winbind entries?
>>> Anyway, tomorrow I'll try because I have to revert again to the backup
>>> image and it is late.
>> As has been said, place your smb.conf back to where it was, and don't
>> touch it unless you know what you are doing.
>> A number of issues apparent even for my untrained eye.
>>>>> Here's my samba cfg:
>>>>> [global]
>>>>>           workgroup = CASA
>>>>>           realm = casa.red
>> Realm in all caps.
>>>>>           winbind nested groups = No
>>>>>           winbind separator = +
>>>>>           winbind normalize names = yes
>> These will bite you. Soon.
>>>>>           idmap config CASA : backend  = ad
>>>>>           idmap config * : backend = tdb
>>>>>           idmap config * : range =  1000-20000000
>> Where's idmap range for CASA ?
>>>>>           # Disable CUPS on this server
>>>>>           printcap name = /etc/printcap
>>>>>           load printers = no
>> printcap name = /dev/null
>> printing = BSD
>> --
>> With best regards,
>> Andrey Repin
>> Tuesday, April 21, 2015 21:01:29
>> Sorry for my terrible english...
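
A small check for the three points the replies raise about the posted smb.conf (the FQDN used as netbios name, the lower-case realm, and a domain idmap backend with no range). This is an added example, not code from the thread or from Samba; the sample config is reconstructed from the quoted lines and the function names are illustrative.

```python
import re

# Constructed sample: the [global] settings quoted in the thread above.
SAMPLE = """\
[global]
    workgroup = CASA
    realm = casa.red
    netbios name = PDC.CASA.RED
    winbind normalize names = yes
    idmap config CASA : backend  = ad
    idmap config * : backend = tdb
    idmap config * : range =  1000-20000000
"""
IDMAP = re.compile(r"idmap config (\S+?) ?: ?(\w+)")

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are compared without case or repeated blanks.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint(text):
    """Flag the three points raised in the replies; returns a list of findings."""
    p, findings, idmap = parse_global(text), [], {}
    if "." in p.get("netbios name", ""):
        findings.append("netbios name: use the short host name, not the FQDN")
    realm = p.get("realm", "")
    if realm != realm.upper():
        findings.append("realm: write it in upper case (%s)" % realm.upper())
    for key in p:  # collect which idmap options each domain has
        m = IDMAP.fullmatch(key)
        if m:
            idmap.setdefault(m.group(1), set()).add(m.group(2))
    for domain, opts in sorted(idmap.items()):
        if "backend" in opts and "range" not in opts:
            findings.append("idmap config %s: backend set but no range" % domain.upper())
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

This only inspects the text of the file; `testparm` remains the tool for validating a live configuration.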
